Belkin’s ‘Smart Home’ system has security flaws which could ‘black out’ homes – or start fires

Belkin’s WeMo home automation systems contain multiple vulnerabilities which could allow attackers to remotely control devices attached to a WeMo system – for instance, blacking out lighting in a home – or to remotely monitor devices such as motion sensors, according to device security specialists IOActive.

IOActive claims 500,000 users could be at risk – and warns that the diverse range of electronics connected to WeMo sockets, which connect to a home network and are controlled via an app, means that the vulnerabilities could even be used to start fires.

Attackers could also install malicious firmware updates, changing the function of such devices, according to Mike Davis, of security firm IOActive, which specialises in securing industrial control systems and medical devices.

IOActive says that the vulnerabilities could allow attackers with no direct access to a home network to monitor the occupants using motion sensors.

Carnegie Mellon’s Software Engineering Institute’s Computer Emergency Response Team issued an advisory relating to the flaws, warning of five vulnerabilities affecting the devices, saying, “A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device.”

Among the vulnerabilities listed was the fact that WeMo devices sent sensitive data in plain text, and that an attacker in control of one WeMo device could use this to relay connections to other WeMo devices on the same network, according to SC Magazine.

IOActive’s Mike Davis claims that Belkin had known about the vulnerabilities for months, but failed to act. In an interview with EWeek, Davis said, “We can confirm Belkin got the vulnerability information, as a member of the Belkin team contacted me via LinkedIn; we discussed the vulnerabilities, but they didn’t follow up on it.”

Belkin pioneered the idea of low-priced ‘smart homes’ but this year’s Consumer Electronics Show in Las Vegas was full of devices and systems built to offer ‘automated homes’ for less, as reported by We Live Security.

Over the past year, security flaws in such devices have been the subject of scrutiny, both from researchers and government. Security flaws in common baby monitors allowed hackers to break into the devices “easily” – and see through the cameras. The case came to light after a hacker spied on and insulted a toddler in bed, as reported by We Live Security.

The faulty software allowed anyone with the right internet address to freely access the “feed” from Trendnet cameras – and has prompted an investigation by America’s Federal Trade Commission into the safety of “connected” devices.

“Smart TVs” – internet-connected televisions – can also be hacked, according to researcher SeungJin Lee, allowing attackers to “watch” families through webcams, and working even if the victims try to turn the set off.

More than 80 million Smart TVs were sold around the world in 2012, Lee says – but, “we hardly see security research on Smart TVs.”

Lee showed off an attack on a Samsung television that allowed him to insert fake news stories into a Smart TV’s internet browser.

The Philips Hue lighting system was shown to be vulnerable to attacks which can cause a “perpetual blackout” in the homes of users – turning off lights and making them impossible to switch back on – according to a security researcher.

The Hue wireless system – on sale in the Apple store – controls wireless LED light bulbs in the home via a wireless bridge, and can be controlled by iOS and Android apps. But researcher Nitesh Dhanjani says that the system it uses to authenticate devices means that it’s all too easy to turn lights on and off in other people’s homes.

Attackers could “black out” all the Hue lights from nearby (any nearby location within reach of the same Wi-Fi network) by using malware to capture one of the “whitelisted tokens” – and then “issue ‘all lights off’ instructions.” Dhanjani says that it’s also difficult for users to regain control of their system.

“The script infinitely issues a blackout command,” he says.

At last year’s Black Hat security conference in Las Vegas, researchers showed off hacks that could affect “connected” devices such as televisions, door alarms and toilets.

“By 2022, the average household with two teenage children will own roughly 50 such Internet connected devices, according to estimates by the Organization for Economic Co-Operation and Development,” Dhanjani says. “Our society is starting to increasingly depend upon IoT devices to promote automation and increase our well being. As such, it is important that we begin a dialogue on how we can securely enable the upcoming technology.”